Thanks Lonnie.

Hmm that's a bit yucky. I suppose a third option is to use netset.

Regards
Michael Knill

On 17/8/21, 12:52 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Hi Michael,

    You are not missing anything, there is no selective "Deny EXT->Local" as that is the default.

    Two solutions come to mind ...

    1) Recreate the "Pass EXT->Local" to multiple entries to not include what you don't want to allow.

    2) Add a custom rule in /mnt/kd/arno-iptables-firewall/custom-rules to implement the desired "Deny EXT->Local".

    -- untested example custom-rules --

    # Drop EXT->Local traffic for a protocol, source host/net and destination port
    deny_ext_local()
    {
      local proto="$1" host="$2" port="$3"

      echo "[CUSTOM RULE] Deny EXT->Local for Proto: $proto, Host: $host, Port: $port"
      iptables -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j POST_INPUT_DROP_CHAIN
    }
    deny_ext_local udp 1.2.3.4 5060
    deny_ext_local tcp 1.2.3.0/24 5061

    --
    (and test)


    Lonnie



    > On Aug 16, 2021, at 8:02 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Yes.
    > 
    > Regards
    > Michael Knill
    > 
    > On 17/8/21, 10:35 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
    > 
    >    Are you saying you added a "Pass EXT->Local" but now want to deny a subset of that ?
    > 
    >    Lonnie
    > 
    > 
    > 
    >> On Aug 16, 2021, at 6:20 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    >> 
    >> Hi Group
    >> 
    >> Forgive my ignorance but just wondering how I do this. I want to block some addresses trying to register to the box from external.
    >> PS it's not SIP bots etc. It's known trusted addresses.
    >> 
    >> Thanks
    >> Regards
    >> 
    >> Michael Knill
    >> Managing Director
    >> 
    >> D: +61 2 6189 1360
    >> P: +61 2 6140 4656
    >> E: michael.kn...@ipcsolutions.com.au
    >> W: ipcsolutions.com.au
    >> 
    >> Smarter Business Communications
    >> 
    >> _______________________________________________
    >> Astlinux-users mailing list
    >> Astlinux-users@lists.sourceforge.net
    >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
    >> 
    >> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.



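Added example (not part of the thread, and not AstLinux or Arno's IPTABLES Firewall code): iptables walks a chain top-down and stops at the first terminating match, so the appended deny from the quoted custom rule only takes effect if it sits ahead of any ACCEPT for the same protocol and port. The function below checks that on `iptables -S EXT_INPUT_CHAIN` output; the function name `check_deny_order` and both sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `iptables -S EXT_INPUT_CHAIN` output (not from a real box).
# Note that iptables prints a single host given as 1.2.3.4 back as 1.2.3.4/32.
SAMPLE_OK='-N EXT_INPUT_CHAIN
-A EXT_INPUT_CHAIN -s 1.2.3.4/32 -p udp -m udp --dport 5060 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 5060 -j ACCEPT'

SAMPLE_SHADOWED='-N EXT_INPUT_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 5060 -j ACCEPT
-A EXT_INPUT_CHAIN -s 1.2.3.4/32 -p udp -m udp --dport 5060 -j POST_INPUT_DROP_CHAIN'

# check_deny_order RULES PROTO SOURCE PORT   (hypothetical helper)
# Prints one of:
#   effective  the deny for SOURCE is reached before any unrestricted ACCEPT
#   shadowed   an ACCEPT for the same proto/port with no -s match comes first
#   missing    no deny rule for SOURCE/PROTO/PORT was found
# Limitation: only exact --dport matches and source-less ACCEPT rules are
# considered; port ranges, multiport and source-restricted ACCEPTs are ignored.
check_deny_order() {
  printf '%s\n' "$1" | awk -v proto="$2" -v src="$3" -v port="$4" '
    # Return the value following option "name" on the current rule line.
    function opt(name,   i) {
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    $1 == "-A" && $2 == "EXT_INPUT_CHAIN" {
      if (opt("-p") != proto || opt("--dport") != port) next
      s = opt("-s"); j = opt("-j")
      if (j == "ACCEPT" && s == "") { print "shadowed"; found = 1; exit }
      if (j == "POST_INPUT_DROP_CHAIN" && s == src) { print "effective"; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# On the firewall itself (as root) the live chain can be checked with:
#   check_deny_order "$(iptables -S EXT_INPUT_CHAIN)" udp 1.2.3.4/32 5060
check_deny_order "$SAMPLE_OK" udp 1.2.3.4/32 5060
check_deny_order "$SAMPLE_SHADOWED" udp 1.2.3.4/32 5060
```
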